CVE-2025-48384, assigned a CVSS severity score of 8.1/10, allows attackers to achieve remote code execution through maliciously crafted repositories when users run git clone --recursive. The flaw enables arbitrary file writes on Linux and macOS. When an attacker crafts a malicious .gitmodules file with a submodule path ending in a carriage return character, Git's config parser creates a dangerous discrepancy: the character may be stripped during read operations but preserved during write operations. Once the malicious repository is cloned, attackers can write Git hook scripts contained within the repository's submodules directly into the victim's .git subdirectory.

DataDog researchers have identified multiple exploitation pathways that leverage this arbitrary file write primitive to achieve persistent remote code execution. The GitHub Desktop client for macOS is particularly exposed because it runs git clone --recursive by default under the hood. Working proof-of-concept exploits demonstrating arbitrary writes to /tmp directories have been validated by security researchers and are publicly accessible.

Users can verify their current Git version by running git --version and comparing it against the vulnerable ranges: v2.50.0, v2.49.0, v2.48.0-v2.48.1, v2.47.0-v2.47.2, v2.46.0-v2.46.3, v2.45.0-v2.45.3, v2.44.0-v2.44.3, and v2.43.6 and prior.
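As an added defender-side example (not code from the article or from the DataDog research), the script below checks a git --version string against the vulnerable ranges listed above and scans the raw bytes of a .gitmodules file for submodule values carrying control characters such as a trailing carriage return, reading the bytes directly instead of going through Git's config parser, which is the component that strips the character on read. The sample .gitmodules content and the example.invalid URLs are constructed.

```python
import re
from typing import List, Tuple

# Vulnerable ranges exactly as the article lists them: (major, minor) -> (first, last) vulnerable patch.
VULNERABLE_RANGES = {(2, 50): (0, 0), (2, 49): (0, 0), (2, 48): (0, 1), (2, 47): (0, 2),
                     (2, 46): (0, 3), (2, 45): (0, 3), (2, 44): (0, 3)}
OLDEST_LISTED = (2, 43, 6)  # "v2.43.6 and prior"
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEYVAL_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')

def parse_git_version(output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `git --version` output such as 'git version 2.48.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised git version output: {output!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_listed_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside one of the article's vulnerable ranges for CVE-2025-48384."""
    if version <= OLDEST_LISTED:  # everything up to and including 2.43.6
        return True
    lo, hi = VULNERABLE_RANGES.get(version[:2], (None, None))
    return lo is not None and lo <= version[2] <= hi  # False only means "not in the listed ranges"

def find_control_chars_in_gitmodules(raw: bytes) -> List[dict]:
    """Report submodule values in raw .gitmodules bytes that carry control characters.
    Splitting on LF only keeps a trailing CR attached to the value: this is what Git would
    write back, not the stripped view its config parser returns on read."""
    findings, section = [], None
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        text = line.decode("utf-8", errors="replace")
        sec = SECTION_RE.match(text)
        if sec:
            section = sec.group("name")
            continue
        kv = KEYVAL_RE.match(text)
        if not kv or section is None:
            continue
        value = kv.group("value")
        bad = [f"0x{ord(c):02x}" for c in value if ord(c) < 0x20 or ord(c) == 0x7F]
        if bad:  # e.g. a path ending in 0x0d (carriage return)
            findings.append({"section": section, "key": kv.group("key"), "line": lineno,
                             "value": value, "control_chars": bad})
    return findings

# Constructed sample (not from the article): one clean submodule, one whose path ends in CR.
SAMPLE_GITMODULES = (b'[submodule "vendor/lib"]\n\tpath = vendor/lib\n\turl = https://example.invalid/lib.git\n'
                     b'[submodule "evil"]\n\tpath = evil/path\r\n\turl = https://example.invalid/evil.git\n')
```

To check a real repository, read its .gitmodules with open(path, "rb") and pass the bytes to find_control_chars_in_gitmodules before initialising any submodules.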
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Jul 2025 11:15:13 +0000